It was announced that SHA1 has been broken in practice. The post at https://shattered.it/ explains how dangerous it is becoming to keep using this cryptographic hash function. Basically, it is now possible to have or create two different documents with the same SHA1 hash.
For example: on shattered.it there are two PDF documents (shattered-1.pdf, shattered-2.pdf) with different contents but the same SHA1 hash! If you don't believe shattered.it, you can download the example PDFs locally and generate the SHA1 hash yourself, for example using PowerShell and the Get-FileHash cmdlet:

If you don't believe your eyes, try it yourself :)
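An added example (not from the original post): a PowerShell function that hashes every PDF in a folder with both SHA1 and SHA256 and reports the files whose SHA1 matches while their SHA256 differs. The function name `Find-Sha1Collision` and the folder layout are assumptions; it expects shattered-1.pdf and shattered-2.pdf to have been downloaded into the folder first.

```powershell
# Added example: report files that share a SHA1 hash but differ in SHA256.
# Assumption: shattered-1.pdf and shattered-2.pdf were downloaded into $Path.
function Find-Sha1Collision {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Filter = '*.pdf'
    )

    # Hash every matching file with both algorithms.
    $hashed = Get-ChildItem -Path $Path -Filter $Filter -File | ForEach-Object {
        [pscustomobject]@{
            File   = $_.Name
            SHA1   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

    # Files with an equal SHA1 hash land in the same group.
    $hashed | Group-Object -Property SHA1 | Where-Object Count -gt 1 | ForEach-Object {
        # Identical copies of one file also share SHA256, so they are skipped;
        # a real collision shows more than one distinct SHA256 in the group.
        $distinct = @($_.Group | Select-Object -ExpandProperty SHA256 -Unique)
        if ($distinct.Count -gt 1) {
            [pscustomobject]@{
                SHA1   = $_.Name
                Files  = $_.Group.File -join ', '
                SHA256 = $distinct -join ', '
            }
        }
    }
}

# Run against the current folder and list any colliding files.
Find-Sha1Collision -Path . | Format-List
```

With the two PDFs in the folder, the function returns one entry listing both file names under a single SHA1 value with two different SHA256 values; duplicate copies of the same file produce no entry.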

And finally, as a simple conclusion, with this publicly available example in mind, I think it would be best for your data to start making plans to replace SHA1 with the SHA2 algorithm ASAP.

In this case, meetings scheduled for a user were mysteriously forwarded to a group of users. Helpdesk engineers removed all the rules that could be seen for that user's mailbox, and still all scheduled meetings for that user were forwarded to this particular group of users. The helpdesk team escalated the issue to the Exchange admins in order to do some tracking. From the Exchange tracking logs it can be seen that the scheduled meetings were forwarded by a mailbox rule ?!?!? :

But where is that rule? Get-InboxRule for this user's mailbox returned nothing, because the helpdesk engineers had removed all the rules, and yet there is still a rule in this mailbox that is forwarding the scheduled meetings. So, obviously there is rule corruption in this user's mailbox, and MFCMAPI is your friend. The latest version of this tool can be downloaded from CodePlex: http://mfcmapi.codeplex.com/ .